I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
Working on a system that has been beaconing out to bad places and noticed
this in the 'pstree' output (abbreviated):
Name Pid PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would
normally expect userinit.exe to start explorer and then exit, leaving it
with no visible parent.
Any input appreciated...
-=[ Steve ]=-
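As an added example (not part of Steve's post and not Volatility code), here is a small check that parses the pstree lines above and flags processes whose live parent is not the one a Windows Vista/7 system normally shows. The expected-parent table is this example's own baseline, not anything the plugin ships; the input is the abbreviated listing from the post.

```python
import re

# pstree lines copied from the post above (abbreviated output; the trailing
# Thds/Hnds/Time columns were elided there and are not needed here).
PSTREE_SAMPLE = """\
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
"""

# depth dots, then "0x<offset>:<name> <pid> <ppid>"
LINE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

# Parent a Vista/7 system process is expected to have.  This is the example's
# own baseline; extend it as needed.  explorer.exe is special: userinit.exe
# starts it and exits, so its parent is normally absent from the listing.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe"},
}
PARENT_MAY_BE_GONE = {"explorer.exe"}


def parse_pstree(text):
    """Return {pid: (name, ppid)}; names are as printed (Volatility truncates
    them to 14 characters) and lower-cased for comparison."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
            procs[pid] = (name.lower(), ppid)
    return procs


def find_parent_anomalies(text):
    """Return (name, pid, parent_name, ppid) for each baseline process whose
    parent is not allowed.  parent_name is None when the PPid is not in the
    list, i.e. the parent has exited."""
    procs = parse_pstree(text)
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        allowed = EXPECTED_PARENT.get(name)
        if allowed is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            if name not in PARENT_MAY_BE_GONE:
                findings.append((name, pid, None, ppid))
            continue
        if parent[0] not in allowed:
            findings.append((name, pid, parent[0], ppid))
    return findings


if __name__ == "__main__":
    for name, pid, pname, ppid in find_parent_anomalies(PSTREE_SAMPLE):
        print("%s (pid %d) has parent %s (pid %d)" % (name, pid, pname, ppid))
```

On the listing above this reports only explorer.exe (5400) with parent msdtc.exe (5332). One caveat before treating that as proof of anything: PIDs are recycled, so a PPid can point at an unrelated process that inherited the number after the real parent exited. The Time column that the abbreviated output drops settles it: a genuine parent must have been created before its child, so a parent with a later start time than the child is a reused PID, not a launcher.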
I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64 as an example.
My question is this: is there any way to link a _FILE_OBJECT back to the process that generated it, without a valid handle or an entry in the VAD tree?
This article discusses it: http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processe… - however, this approach only works if there is a valid handle for the open file.
Here's an example:
I open notepad, and open a simple text file that contains "This is the contents of the file". Performing a scan over the memory dump reveals this data in two locations:
1 - 0x1448f000 - This is the contents of the file found through the _FILE_OBJECT->SectionObjectPointers->DataSectionObject. This points to a control area, and through that I can locate the Subsection-BasePTE, which shows that the page is in transition and has a PFN of 0x1448f. So this allows me to find the data through the _FILE_OBJECT.
2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is where the data has been mapped into.
So examining the two pages through WinDbg gives me this information:
lkd> !pfn 1448f
    PFN 0001448F at address FFFFFA80003CDAD0
    flink       00015B8F  blink / share count 00013ED5  pteaddress FFFFF8A0008AD010
    reference count 0000    used entry count  0000      Cached    color 0   Priority 5
    restore pte FA800325553004C0  containing page 00ABBA  Standby   P  Shared

lkd> !pte FFFFF8A0008AD010 1
                                           VA fffff8a0008ad010
PXE at FFFFF8A0008AD010    PPE at FFFFF8A0008AD010    PDE at FFFFF8A0008AD010    PTE at FFFFF8A0008AD010
contains 000000001448F8C0
not valid
  Transition: 1448f
  Protect: 6 - ReadWriteExecute
As can be seen, the page containing the original data is shared, is on the standby list, and points to a prototype PTE.
lkd> !pfn 39d33
    PFN 00039D33 at address FFFFFA8000AD7990
    flink       00039D88  blink / share count 00039D1E  pteaddress FFFFF6800001CAC8
    reference count 0000    used entry count  0000      Cached    color 0   Priority 3
    restore pte 1635500000080  containing page 0274B8  Standby

lkd> !pte FFFFF6800001CAC8 1
                                           VA fffff6800001cac8
PXE at FFFFF6800001CAC8    PPE at FFFFF6800001CAC8    PDE at FFFFF6800001CAC8    PTE at FFFFF6800001CAC8
contains 0000000000000000
not valid
The PTE within Notepad's heap is marked as not valid, but also shows that the page is on the standby list.
As the page located through the FILE_OBJECT is marked as shared and points to a prototype PTE, is there any way of locating this prototype PTE and using it to track back to Notepad? So for instance, would it be possible to locate the PPTE by searching memory for the 'MmSt' tag, and then parse the PPTE to gain any information? Or does the PPTE not track backwards in that way?
Essentially, if the page containing the data found through the _FILE_OBJECT is shared, what is it shared with, and is it possible to track this information, using either the PFN database, prototype PTE entries, or something else I haven't thought of?
Any input or advice would be appreciated.
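Added example, not from the original post and not Volatility code: the bit-level decoding behind the !pfn and !pte output above, for the Windows 7 x64 PTE layouts (hardware, transition, prototype, pagefile). The three constants (sizeof(_MMPFN) = 0x30, MmPfnDatabase at 0xFFFFFA8000000000, PTE self-map base 0xFFFFF68000000000) are assumed values for that build; the first two are consistent with the two PFN-entry addresses the post shows, and the protection names are this example's own spelling of the MM_* constants (value 6 matches what !pte printed).

```python
PAGE_SHIFT = 12
MMPFN_SIZE = 0x30                      # sizeof(_MMPFN) on Windows 7 x64 (assumed)
MMPFN_DATABASE = 0xFFFFFA8000000000    # MmPfnDatabase on Windows 7 x64 (assumed)
PTE_SELFMAP_BASE = 0xFFFFF68000000000  # PTE self-map region on Windows 7 x64 (assumed)
PTE_SELFMAP_SIZE = 1 << 39             # 512 GB of PTEs covers the 48-bit VA space
PFN_MASK = (1 << 36) - 1

# Low three bits of the 5-bit software protection field; bits 3 and 4 are the
# NoCache and Guard modifiers.
PROTECTION = {0: "NoAccess", 1: "ReadOnly", 2: "Execute", 3: "ExecuteRead",
              4: "ReadWrite", 5: "WriteCopy", 6: "ReadWriteExecute",
              7: "ExecuteWriteCopy"}


def decode_pte(v):
    """Classify a 64-bit PTE value the way !pte does."""
    d = {"raw": v, "valid": bool(v & 1)}
    if d["valid"]:                              # hardware format
        d["kind"] = "valid"
        d["pfn"] = (v >> 12) & PFN_MASK
        d["write"] = bool(v & (1 << 1))
        d["user"] = bool(v & (1 << 2))
        d["accessed"] = bool(v & (1 << 5))
        d["dirty"] = bool(v & (1 << 6))
        d["nx"] = bool(v >> 63)
        return d
    # Software formats share bits 5-9 (protection), 10 (prototype), 11 (transition).
    d["protect"] = (v >> 5) & 0x1F
    d["protect_name"] = PROTECTION[d["protect"] & 7]
    d["prototype"] = bool(v & (1 << 10))
    d["transition"] = bool(v & (1 << 11))
    if v == 0:
        d["kind"] = "zero"
    elif d["transition"] and not d["prototype"]:
        d["kind"] = "transition"                # page sits on a standby/modified list, PFN still known
        d["pfn"] = (v >> 12) & PFN_MASK
    elif d["prototype"]:
        d["kind"] = "prototype"                 # refers to a prototype PTE owned by a section; pointer not decoded here
    else:
        d["pagefile"] = (v >> 1) & 0xF
        d["pagefile_offset"] = (v >> 32) & 0xFFFFFFFF
        d["kind"] = "pagefile" if d["pagefile_offset"] else "demand_zero"
    return d


def pfn_entry_address(pfn):
    """Virtual address of the _MMPFN entry: MmPfnDatabase + pfn * sizeof(_MMPFN)."""
    return MMPFN_DATABASE + pfn * MMPFN_SIZE


def pfn_from_entry_address(addr):
    """Inverse of pfn_entry_address; None if addr is not an aligned entry in the database."""
    off = addr - MMPFN_DATABASE
    if off < 0 or off % MMPFN_SIZE:
        return None
    return off // MMPFN_SIZE


def pfn_to_phys(pfn, page_offset=0):
    """Physical address of a byte inside a page frame."""
    return (pfn << PAGE_SHIFT) | (page_offset & 0xFFF)


def self_map_pte_to_va(pte_addr):
    """If pte_addr lies in the PTE self-map, return the virtual address that PTE maps;
    None otherwise (for example a prototype PTE living in paged pool)."""
    off = pte_addr - PTE_SELFMAP_BASE
    if off < 0 or off >= PTE_SELFMAP_SIZE or off % 8:
        return None
    va = (off // 8) << PAGE_SHIFT
    if va & (1 << 47):                          # canonical sign extension for kernel VAs
        va |= 0xFFFF000000000000
    return va


if __name__ == "__main__":
    # the values from the two !pfn / !pte listings above
    print("shared page PTE   :", decode_pte(0x1448F8C0))
    print("private page OrigPte:", decode_pte(0x1635500000080))
    print("PFN 0x1448f entry :", hex(pfn_entry_address(0x1448F)))
    print("PFN 0x39d33 entry :", hex(pfn_entry_address(0x39D33)))
    print("shared PteAddress maps VA :", self_map_pte_to_va(0xFFFFF8A0008AD010))
    print("private PteAddress maps VA:", hex(self_map_pte_to_va(0xFFFFF6800001CAC8)))
```

What the decode says about the two pages: the private page's PteAddress (FFFFF6800001CAC8) is inside the self-map, so it is a per-process page-table entry, for VA 0x3959000 in the owning process, and its restore PTE decodes as a ReadWrite pagefile PTE (pagefile 0, offset 0x16355). The self-map only reflects the process whose CR3 is current, and lkd reads through the debugger's own context rather than Notepad's, which is a plausible reason that PTE read back as zero. To reach the owner from the PFN side, follow the containing page instead: PFN 0x274B8 is the page-table page, its own PFN entry's PteAddress is the PDE, and so on up to the PML4 page, whose PFN shifted left by 12 is a DirectoryTableBase to compare against each EPROCESS. The shared page is different: its PteAddress (FFFFF8A0008AD010) is not in the self-map, it is a prototype PTE in paged pool owned by the file's section, and the section is not tied to any one process. A process that has the file mapped holds a PTE in prototype form pointing at that address, so finding "who shares it" means scanning each process's page tables (or their VAD-described ranges) for PTEs that reference it; nothing in the prototype PTE itself points back to a process.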
I was writing to let everyone know that I will be speaking Friday at RSA
on investigating Mac malware with Volatility and Volatility's Mac
support in general. If you are going to the conference you should check
out the talk and come say 'hi' after:
C:\Volatility>python vol.py timeliner -f
Volatility Foundation Volatility Framework 2.3.1
Traceback (most recent call last):
File "vol.py", line 184, in <module>
File "vol.py", line 175, in main
File "C:\Volatility\volatility\commands.py", line 122, in execute
File "C:\Volatility\volatility\plugins\timeliner.py", line 88, in
for line in data:
File "C:\Volatility\volatility\plugins\timeliner.py", line 312, in
UnicodeEncodeError: 'ascii' codec can't encode character u'\xae' in
position 156: ordinal not in range(128)
Looks like I may have a martian character in a string somewhere...
-=[ Steve ]=-
We are writing to announce that we now have public trainings scheduled
in Australia, London, New York, and Virginia! The New York and London
trainings will be selling out soon so we suggest contacting us ASAP if
you wish to attend either of those.
We have also already received significant interest in the Australia
course and have a large notification list for it. Please contact us if
you would like to be added.
Finally, the team is happy to announce that we now have a dedicated
website for training at http://www.memoryanalysis.net.
For full information on each training and the new website, please see
our recent blog post:
If you want to learn memory forensics skills from the researchers and
developers behind Volatility then you should consider signing up for one
of our courses. Not only will you leave being an expert in Volatility
and Windows internals, but you will also be able to perform malware
analysis and incident response alongside the best in the industry.
I've been trying to get/dump a copy of a certain registry hive from memory. I managed to list their offsets using the hivelist plugin but am unable to find a way of dumping them to files. My intention is to load them into other tools such as RegRipper as input/target registry files.
Has anyone found a way of doing it?
Thank you very much in advance.
So was the fix just to switch to lime format or did you also need the
patch? This will help us keep better documentation for future bug reports.
Also, is there a reason you need the raw sample? If you are looking for
a sample without any metadata, the best version would be 'padded' since
it zero fills the offsets between RAM sections, but note that you can
get a HUGE file, especially on 64 bit systems.
The raw version of LiME simply concatenates regions together (does not
pad), which makes offsets found from virtual address translation off.
This is why Volatility (and other tools) cannot process most raw Lime dumps.
On 2/6/2014 10:45 AM, Torres, Geoff (Global Cyber Security) wrote:
> OK, we're making progress...
> Michael Ligh also suggested that article. I had dismissed it as not applicable because it was regarding CentOS 5.3 and the earliest I've been attempting is 5.8. My apologies for not trying it sooner.
> It did work for the Lime format, but not the Raw format which is ultimately what I need. Would different offsets work for the raw format? Is it possible to convert a raw format image into Lime format?
> Also, does this mean that I need different volatility code for different kernels?
> My role is to perform forensic analysis on compromised systems. I can conceivably get any type of system and I get them in large enough volume that I've been developing scripts to automate these sort of tasks.
> Thanks for all your help so far,
> -----Original Message-----
> From: Andrew Case [mailto:email@example.com]
> Sent: Thursday, February 06, 2014 7:32 AM
> To: Torres, Geoff (Global Cyber Security); 'vol-users(a)volatilityfoundation.org'
> Subject: Re: [Vol-users] Difficulty creating CentOS profiles
> I believe you are having the same issues that we diagnosed here:
> Could you please edit your code as MHL explains to account for the shift? It only requires two small changes to the existing code. Note that the line numbers may be different since the code has been updated since then, but if you search for the 0xffffffff80000000 number in each file you will be able to find it.
> Also we would recommend acquiring in the lime format "format=lime"
> instead of acquiring in the raw one.
> Let me know how it goes.
> Andrew (@attrc)
> On 2/5/2014 5:26 PM, Torres, Geoff (Global Cyber Security) wrote:
>> I've been unable to create a working Linux profile for any version of
>> CentOS. It compiles fine but gives a 'No suitable address space
>> mapping found' error when ran against the memory image.
>> I've been successful creating various Debian and Ubuntu profiles, but
>> CentOS has yet to work. I'm sure it's something simple but I can't
>> figure it out. I'm certain that I'm matching kernel versions
>> correctly and that the build process is the same as I use for the Ubuntu versions.
>> I've attached the details of my most recent attempt. It's a vanilla
> >> CentOS 5.10 install on VMware. The memory image is available (250Mb
>> zip) if necessary.
>> Any ideas? None of the solutions I found in Google seem to address my
>> BTW - I'm not a kernel programmer so please be detailed if there's
>> something you'd like me to try.
>> Vol-users mailing list
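Added example that serves both this thread (lime vs raw vs padded) and the CentOS 5.3 report at the top of the page that ended in "LimeAddressSpace: Invalid Lime header signature"; it is not Volatility or LiME code. It uses the 32-byte range header from LiME's lime.h (magic 0x4C694D45, version 1, inclusive 64-bit start and end addresses, 8 reserved bytes) to walk a dump, translates a physical address to a file offset the way the LimeAddressSpace does, and re-lays the same bytes out as "padded" and "raw" to show why the raw form breaks address translation. The sample image is constructed inline, not a real acquisition.

```python
import struct

LIME_MAGIC = 0x4C694D45     # little-endian on disk, so a LiME dump begins with b"EMiL"
LIME_VERSION = 1
# lime_mem_range_header (lime.h): magic, version, s_addr, e_addr, reserved[8]
LIME_HDR = struct.Struct("<IIQQ8s")


def parse_lime(data):
    """Walk the range headers and return [(s_addr, e_addr, file_offset_of_data), ...]."""
    ranges, off = [], 0
    while off < len(data):
        if off + LIME_HDR.size > len(data):
            raise ValueError("truncated LiME header at file offset 0x%x" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            # the condition behind Volatility's "Invalid Lime header signature"
            raise ValueError("invalid LiME header signature 0x%08x at 0x%x" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr or (ranges and s_addr <= ranges[-1][1]):
            raise ValueError("range 0x%x-0x%x is malformed or out of order" % (s_addr, e_addr))
        off += LIME_HDR.size
        size = e_addr - s_addr + 1              # e_addr is inclusive
        if off + size > len(data):
            raise ValueError("range 0x%x-0x%x data truncated" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, off))
        off += size
    return ranges


def phys_to_file_offset(ranges, paddr):
    """Physical address -> offset in the lime file; None if the address was not captured."""
    for s_addr, e_addr, foff in ranges:
        if s_addr <= paddr <= e_addr:
            return foff + (paddr - s_addr)
    return None


def lime_to_padded(data, ranges):
    """'padded' layout: holes between RAM ranges are zero-filled, so file offset equals
    physical address.  Size is the highest captured address plus one, hence the huge files."""
    out = bytearray(ranges[-1][1] + 1)
    for s_addr, e_addr, foff in ranges:
        out[s_addr:e_addr + 1] = data[foff:foff + (e_addr - s_addr + 1)]
    return bytes(out)


def lime_to_raw(data, ranges):
    """'raw' layout: ranges concatenated with no headers and no padding.  Every range start
    after the first is lost, so physical offsets no longer line up with the file."""
    return b"".join(data[foff:foff + (e_addr - s_addr + 1)] for s_addr, e_addr, foff in ranges)


def build_sample_lime(segments):
    """Constructed test image (not a real dump): segments are (s_addr, payload) pairs."""
    out = b""
    for s_addr, payload in segments:
        out += LIME_HDR.pack(LIME_MAGIC, LIME_VERSION, s_addr,
                             s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


# Two RAM ranges with a hole between them, like the reserved region below 1 MB on real hardware.
SAMPLE = build_sample_lime([(0x1000, b"A" * 256), (0x3000, b"B" * 256)])

if __name__ == "__main__":
    ranges = parse_lime(SAMPLE)
    for s_addr, e_addr, foff in ranges:
        print("RAM 0x%x-0x%x at file offset 0x%x" % (s_addr, e_addr, foff))
    print("phys 0x3010 -> lime file offset", hex(phys_to_file_offset(ranges, 0x3010)))
    raw = lime_to_raw(SAMPLE, ranges)
    print("same bytes in raw layout sit at", hex(raw.index(b"B")), "instead of 0x3000")
    print("padded image is", hex(len(lime_to_padded(SAMPLE, ranges))), "bytes")
```

The script reports the two ranges and that the bytes at physical 0x3000 land at offset 0x100 in the raw layout, which is the shift Andrew describes. A quick sanity check on any dump that Volatility rejects with "Invalid Lime header signature" is that its first four bytes are EMiL; if they are not, the file is not in lime format whatever its extension says. Conversion is lossless only from lime to padded or raw. Going from raw back to lime is not possible from the file alone, because raw keeps no start addresses; rebuilding the headers would need the physical memory map of the target at acquisition time.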
I've been unable to create a working Linux profile for any version of CentOS. It compiles fine but gives a 'No suitable address space mapping found' error when ran against the memory image.
I've been successful creating various Debian and Ubuntu profiles, but CentOS has yet to work. I'm sure it's something simple but I can't figure it out. I'm certain that I'm matching kernel versions correctly and that the build process is the same as I use for the Ubuntu versions.
I've attached the details of my most recent attempt. It's a vanilla CentOS 5.10 install on VMware. The memory image is available (250Mb zip) if necessary.
Any ideas? None of the solutions I found in Google seem to address my issue.
BTW - I'm not a kernel programmer so please be detailed if there's something you'd like me to try.